Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2018-3718

Summary
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At-07 Jun, 2018 | 02:00
Updated At-16 Sep, 2024 | 20:36
Rejected At-
Credits

serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hackerone
Assigner Org ID:36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At:07 Jun, 2018 | 02:00
Updated At:16 Sep, 2024 | 20:36
Rejected At:
▼CVE Numbering Authority (CNA)

serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded.

Affected Products
Vendor
HackerOneHackerOne
Product
serve node module
Versions
Affected
  • All versions
Problem Types
TypeCWE IDDescription
CWECWE-177Improper Handling of URL Encoding (Hex Encoding) (CWE-177)
Type: CWE
CWE ID: CWE-177
Description: Improper Handling of URL Encoding (Hex Encoding) (CWE-177)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://hackerone.com/reports/308721
x_refsource_MISC
Hyperlink: https://hackerone.com/reports/308721
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://hackerone.com/reports/308721
x_refsource_MISC
x_transferred
Hyperlink: https://hackerone.com/reports/308721
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:support@hackerone.com
Published At:07 Jun, 2018 | 02:29
Updated At:28 Feb, 2023 | 18:08

serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CPE Matches
zeit
zeit
>>serve>>Versions before 6.5.2(exclusive)
cpe:2.3:a:zeit:serve:*:*:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE-177Secondarysupport@hackerone.com
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-177
Type: Secondary
Source: support@hackerone.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://hackerone.com/reports/308721support@hackerone.com
Exploit
Patch
Third Party Advisory
Hyperlink: https://hackerone.com/reports/308721
Source: support@hackerone.com
Resource:
Exploit
Patch
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

189Records found
CVE-2017-16172
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

section2.madisonjbrooks12 is a simple web server. section2.madisonjbrooks12 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-section2.madisonjbrooks12_projectHackerOne
Product-section2.madisonjbrooks12section2.madisonjbrooks12 node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16079
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.27%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Action-Not Available
Vendor-smb_projectHackerOne
Product-smbsmb node module
CWE ID-CWE-506
Embedded Malicious Code
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-16181
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 03:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

wintiwebdev is a static file server. wintiwebdev is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-wintiwebdev_projectHackerOne
Product-wintiwebdevwintiwebdev node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16182
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

serverxxx is a static file server. serverxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-serverxxx_projectHackerOne
Product-serverxxxserverxxx node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16155
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

fast-http-cli is the command line interface for fast-http, a simple web server. fast-http-cli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-fast-http-cli_projectHackerOne
Product-fast-http-clifast-http-cli node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16073
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.27%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

noderequest was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Action-Not Available
Vendor-noderequest_projectHackerOne
Product-noderequestnoderequest node module
CWE ID-CWE-506
Embedded Malicious Code
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-16205
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.27%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The coffescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.

Action-Not Available
Vendor-coffescript_projectHackerOne
Product-coffescriptcoffeescript node module
CWE ID-CWE-506
Embedded Malicious Code
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-16161
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

shenliru is a simple file server. shenliru is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-shenliru_projectHackerOne
Product-shenlirushenliru node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16163
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

dylmomo is a simple file server. dylmomo is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-dylmomo_projectHackerOne
Product-dylmomodylmomo node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16194
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 22:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

picard is a micro framework. picard is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-picard_projectHackerOne
Product-picardpicard node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16133
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 23:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

goserv is an http server. goserv is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-goserv_projectHackerOne
Product-goservgoserv node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16072
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.27%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

nodemailer.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Action-Not Available
Vendor-nodemailer.js_projectHackerOne
Product-nodemailer.jsnodemailer.js node module
CWE ID-CWE-506
Embedded Malicious Code
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-16170
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 01:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

liuyaserver is a static file server. liuyaserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-liuyaserver_projectHackerOne
Product-liuyaserverliuyaserver node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16175
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 01:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ewgaddis.lab6 is a file server. ewgaddis.lab6 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-ewgaddis.lab6_projectHackerOne
Product-ewgaddis.lab6ewgaddis.lab6 node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16217
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

fbr-client sends files through sockets via socket.io and webRTC. fbr-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-webrtc-experimentHackerOne
Product-fbr-clientfbr-client node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16120
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 01:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

liyujing is a static file server. liyujing is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-liyujing_projectHackerOne
Product-liyujingliyujing node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16141
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

lab6drewfusbyu is an http server. lab6drewfusbyu is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-lab6drewfusbyu_projectHackerOne
Product-lab6drewfusbyulab6drewfusbyu node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16094
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

iter-http is a server for static files. iter-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-iter-http_projectHackerOne
Product-iter-httpiter-http node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16132
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

simple-npm-registry is a local npm package cache. simple-npm-registry is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-simple-npm-registry_projectHackerOne
Product-simple-npm-registrysimple-npm-registry node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16096
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 03:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

serveryaozeyan is a simple HTTP server. serveryaozeyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Action-Not Available
Vendor-serveryaozeyan_projectHackerOne
Product-serveryaozeyanserveryaozeyan node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16197
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.31% / 53.83%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

qinserve is a static file server. qinserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-qinserve_projectHackerOne
Product-qinserveqinserve node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16207
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.3||HIGH
EPSS-0.20% / 42.20%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 01:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

discordi.js is a malicious module based on the discord.js library that exfiltrates login tokens to pastebin.

Action-Not Available
Vendor-discordi.js_projectHackerOne
Product-discordi.jsdiscordi.js node module
CWE ID-CWE-506
Embedded Malicious Code
CVE-2017-16201
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 22:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

zjjserver is a static file server. zjjserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-zjjserver_projectHackerOne
Product-zjjserverzjjserver node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16083
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

node-simple-router is a minimalistic router for Node. node-simple-router is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Action-Not Available
Vendor-node-simple-routerHackerOne
Product-node-simple-routernode-simple-router node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16190
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 17:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

dcdcdcdcdc is a static file server. dcdcdcdcdc is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-dcdcdcdcdc_projectHackerOne
Product-dcdcdcdcdcdcdcdcdcdc node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16169
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

looppake is a simple http server. looppake is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-looppake_projectHackerOne
Product-looppakelooppake node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16220
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

wind-mvc is an mvc framework. wind-mvc is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-wind-mvc_projectHackerOne
Product-wind-mvcwind-mvc node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16028
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-0.41% / 60.39%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 19:00
Updated-17 Sep, 2024 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

Action-Not Available
Vendor-randomatic_projectHackerOne
Product-randomaticreact-native-meteor-oauth node module
CWE ID-CWE-330
Use of Insufficiently Random Values
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVE-2017-16199
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 22:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

susu-sum is a static file server. susu-sum is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-susu-sum_projectHackerOne
Product-susu-sumsusu-sum node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16204
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.27%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 17:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The jquey module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.

Action-Not Available
Vendor-jquey_projectHackerOne
Product-jqueyjquey node module
CWE ID-CWE-506
Embedded Malicious Code
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-16178
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

intsol-package is a file server. intsol-package is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-intsol-package_projectHackerOne
Product-intsol-packageintsol-package node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16156
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

myprolyz is a static file server. myprolyz is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-myprolyz_projectHackerOne
Product-myprolyzmyprolyz node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16057
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.27%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

nodemssql was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Action-Not Available
Vendor-nodemssql_projectHackerOne
Product-nodemssqlnodemssql node module
CWE ID-CWE-506
Embedded Malicious Code
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-16103
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 01:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

serveryztyzt is a simple http server. serveryztyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Action-Not Available
Vendor-serveryztyzt_projectHackerOne
Product-serveryztyztserveryztyzt node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16157
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 22:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

censorify.tanisjr is a simple web server and API RESTful service. censorify.tanisjr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-censorify.tanisjr_projectHackerOne
Product-censorify.tanisjrcensorify.tanisjr node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16144
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

myserver.alexcthomas18 is a file server. myserver.alexcthomas18 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-myserver.alexcthomas18_projectHackerOne
Product-myserver.alexcthomas18myserver.alexcthomas18 node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16122
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cuciuci is a simple fileserver. cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-cuciuci_projectHackerOne
Product-cuciucicuciuci node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16047
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.34% / 55.98%
||
7 Day CHG~0.00%
Published-29 May, 2018 | 20:00
Updated-16 Sep, 2024 | 22:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Action-Not Available
Vendor-mysqljs_projectHackerOne
Product-mysqljsmysqljs node module
CWE ID-CWE-506
Embedded Malicious Code
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-16092
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sencisho is a simple http server for local development. Sencisho is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Action-Not Available
Vendor-sencisho_projectHackerOne
Product-sencishosencisho node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16184
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

scott-blanch-weather-app is a sample Node.js app using Express 4. scott-blanch-weather-app is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-scott-blanch-weather-app_projectHackerOne
Product-scott-blanch-weather-appscott-blanch-weather-app node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16059
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.27%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 00:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

mssql-node was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Action-Not Available
Vendor-mssql-node_projectHackerOne
Product-mssql-nodemssql-node node module
CWE ID-CWE-506
Embedded Malicious Code
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-16196
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 00:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

quickserver is a simple static file server. quickserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-quickserver_projectHackerOne
Product-quickserverquickserver node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16153
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.57% / 67.71%
||
7 Day CHG~0.00%
Published-29 May, 2018 | 20:00
Updated-16 Sep, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

gaoxuyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-gaoxuyan_projectHackerOne
Product-gaoxuyangaoxuyan node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16146
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

mockserve is a file server. mockserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-mockserve_projectHackerOne
Product-mockservemockserve node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16121
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 02:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

datachannel-client is a signaling implementation for DataChannel.js. datachannel-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-datachannel-client_projectHackerOne
Product-datachannel-clientdatachannel-client node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16171
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

hcbserver is a static file server. hcbserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-hcbserver_projectHackerOne
Product-hcbserverhcbserver node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16221
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.35%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

yzt is a simple file server. yzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-yzt_projectHackerOne
Product-yztyzt node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16029
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.56% / 67.40%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 19:00
Updated-17 Sep, 2024 | 00:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

hostr is a simple web server that serves up the contents of the current directory. There is a directory traversal vulnerability in hostr 2.3.5 and earlier that allows an attacker to read files outside the current directory by sending `../` in the url path for GET requests.

Action-Not Available
Vendor-hostr_projectHackerOne
Product-hostrhostr node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16060
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.27%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 03:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

babelcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Action-Not Available
Vendor-babelcli_projectHackerOne
Product-babelclibabelcli node module
CWE ID-CWE-506
Embedded Malicious Code
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-16225
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.32% / 54.09%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

aegir is a module to help automate JavaScript project management. Version 12.0.0 through and including 12.0.7 bundled and published to npm the user (that performed a aegir-release) GitHub token.

Action-Not Available
Vendor-aegir_projectHackerOne
Product-aegiraegir node module
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found